Strategy: Cybersecurity on the Offense

Gadi Evron and Michael A. Davis 01/01/13

“Offense is the new defense” for security professionals, according to some. Whether you call it “hacking back” or just plain retaliation, this emerging strategy calls for profiling and, if possible, identifying an attacker in order to take effective countermeasures. It’s a controversial approach IT leaders need to understand.

Why the focus on offense? Most military strategists believe that, all things being equal, defense is the stronger position. Defenders can marshal resources over time, while attackers need to maintain supply lines. Defenders can continuously fortify, while attackers can usually tap their main advantage — surprise — only once. However, in the cyber world, attackers are maneuverable, able to change the source, type and target of an attack at will. The defense is set. In the age of the Internet and cyber warfare, the attacker is unequivocally stronger. Firewalls and other controls are structured ahead of time; attackers can choose where they strike and how. They can also test themselves endlessly against defenses, such as when malware authors check if their creations are detected by antivirus products before release. To gain access and establish a beachhead requires only one vulnerability. Defenders, however, need to protect everything; hence the focus on risk management. And we’re reactive, responding with whack-a-mole-like precision.

We understand the attraction of turning the tables, but the risk is still too great. What you should do, however, is talk about the concept of offensive cyber security, the value to be gained in trying to identify the entities behind an attack, and what you might do with that information. In the first half of this report, we explore practical and legal challenges with offensive security. We follow up with four steps to establish a proactive posture while still staying on firm ethical ground. (S6420113)